BigCommerce Launches a Public Bug Bounty Program

Our Public Bug Bounty Program allows security researchers to submit vulnerabilities to the BigCommerce security team.

BigCommerce Launches a Public Bug Bounty Program

Today, we are excited to launch our Public Bug Bounty Program that allows any security researcher to submit vulnerabilities to the BigCommerce security team.

Recent Video: Building Strong Relationships with Cybersecurity Teams

BigCommerce is a leading Open SaaS ecommerce platform serving tens of thousands of B2C and B2B merchants of all sizes in 150+ countries. BigCommerce combines sophisticated enterprise-grade functionality, openness and performance with SMB friendly simplicity and ease-of-use–all in a single platform delivered through the cloud.

Partnering with BugCrowd

Our private program is a major pillar in our cybersecurity program. Since October 2020, we have been running a Private Bug Bounty Program with approximately 490 researchers currently participating.Within the past two years, more than 75% of the vulnerabilities identified were validated (paid/rejected) within four days of the submission. Additionally, we rewarded 114+ vulnerabilities and paid out $43,640 in bounties.

Below is the timeline of vulnerabilities reported per quarter based upon their severity:

Every vulnerability reported is first triaged by our Application Security Engineers to evaluate the validity, risk and impact of the vulnerability. Once verified, we immediately pay the researcher, and the ticket gets added to our internal queue of bugs to be fixed. Based upon the severity of the vulnerability, we have an internal remediation policy that allows the Product and Engineering teams to prioritize a finding.

Check out our current Hall of Fame.

Identify Vulnerabilities, and We'll Pay You

At BigCommerce, we have a strong security culture among various teams which allows us to work in a collaborative manner. Our engineers are well trained on security fundamentals and are always willing to work with us to ensure we ship a secure product.

Related Podcast: Meet Infrastructure Security Engineer Jordan Bodily

We believe by making our program public, more researchers will get an opportunity to submit vulnerabilities. We also consider this as a next step in our security maturity. For us, our Bug Bounty Program is not a replacement for traditional security review but another value add to code reviews, pentesting and red team engagements.

No technology is perfect, and BigCommerce believes that working with skilled security researchers across the globe is crucial in identifying potential weaknesses. We are excited for you to participate as a security researcher to help us identify vulnerabilities in our applications.


What is a bug bounty program?

A bug bounty is a monetary reward for security researchers who find legitimate security flaws in software.The amount is allocated by each vulnerability found, depending upon various factors like risk, impact and exploitability of the vulnerability.

Where can I learn more about the rules of the program?

You can find more details about the program here.

How are rewards paid?

If a vulnerability qualifies for a bounty, all rewards are paid and managed through BugCrowd.

Why use a vendor instead of a self-managed program?

The vendor oversees crucial steps like vetting/triaging the claim and managing the researcher's expectations. This process allows us to focus our resources on remediating the vulnerability as quickly as possible.

Do bug bounties replace traditional Penetration Testing?

No. This program doesn’t replace any internal/external penetration testing schedules. It allows us to evolve our security measures.

Who is eligible to submit a vulnerability?

Anyone with an account on BugCrowd is eligible to submit a vulnerability. If you don’t have an account already, please sign up here.

What happens after I submit a vulnerability?

Once you submit a vulnerability, one of our friendly Application Security Engineers will review the report and provide a response on BugCrowd.

Who should I contact if I have any questions?

Email, and one of our security team members will get back to you.

More Articles from the BigCommerce Security Team

Meet More BigCommerce Engineers